Digital Agency
340+ client sites protected
White-label managed hosting + TopSyde Sentinel security program

Outcome

From a fleet-wide re-infection problem to zero — across 340+ client sites.

Tamer Designs kept cleaning client sites only to watch the casino spam come back days later — across a portfolio of 340+ WordPress sites. TopSyde Sentinel found the persistence vectors every prior cleanup had missed, fleet-wide, and the re-infections stopped.

Tamer Designs

tamerdesigns.com

Last updated: June 24, 2026

Before / After: 4 key metrics

  • Spam re-infections per quarter (fleet-wide): before 20+, after 0 (Eliminated)
  • Mean time to detect a compromise: before ~11 days, after <24 hrs (Daily auto-scans)
  • Backdoors & hidden admins removed (first 30 days): before 0 found by prior tools, after 63 removed (Caught fleet-wide)
  • Client sites flagged by Google for spam: before 9, after 0 (All cleared)

The Challenge

Tamer Designs does beautiful work at volume, and for years that work mostly stayed online without drama. Then a wave of AI-generated WordPress spam campaigns swept the portfolio — and the agency discovered that cleaning a compromised site is the easy part. Keeping a 340-site fleet clean was the part nobody could crack.

The pattern repeated across dozens of clients:

  • The spam kept coming back. A site would get scrubbed of injected casino posts and hidden link-farms, only for the same content to reappear within a week — and with hundreds of sites in the portfolio, something was always re-infected.
  • The in-site security plugin kept saying "clean." Wordfence ran inside each site and reported no issues — but it was running inside the very site that was already compromised, blind to the persistence mechanism that kept letting the attacker back in.
  • Google started penalizing clients. Nine client sites were flagged for cloaked gambling content injected into real pages — content the clients had never published and couldn't even see. Rankings tanked, and the support tickets piled up.
  • No fleet-wide visibility. With 340+ client sites spread across a mix of hosts, nobody could answer "which of our clients is compromised right now?" without logging into each one — an impossible task at that scale.

The agency didn't need another scanner that emails alerts. They needed something that could find what the last cleanup missed — across hundreds of sites at once — and remove it.

The Approach

TopSyde took over managed hosting for the entire fleet and put every site under TopSyde Sentinel, our AI-driven security layer. The key difference: Sentinel works from outside the site over SSH, so it can see what an in-site plugin can't — and it does it on every site, every day, without anyone logging in.

Step 1 — Onboard the fleet and scan from the outside

Each site was connected to the TopSyde portal over an isolated, per-site SSH key — nothing installed inside the site that an attacker could disable. Sentinel then ran a baseline scan on all 340+ sites: verifying WordPress core against official wordpress.org checksums, diffing every plugin against its official package, and sweeping the filesystem and database for backdoor signatures and injected spam.

Step 2 — Find the persistence vectors

This is where the re-infection mystery unraveled — at scale. Across the fleet, Sentinel surfaced what the prior tooling had missed:

  • A malicious must-use plugin auto-loading on every request and re-injecting casino spam into pages — the reason the spam "came back" days after each cleanup. It turned up on a whole cluster of related client sites.
  • Attacker-created application passwords — REST API keys that survive admin password resets and act as a quiet back door. On several sites no malicious files existed at all, which is exactly why every previous cleanup had "worked" and failed.
  • Hidden administrator accounts, cloaked from the WordPress Users list and deletion-protected.
  • Timestomped webshells in theme folders, their modified dates faked to old years to blend in with legitimate theme files.

Across the first 30 days, Sentinel found and removed 63 backdoors and rogue admin accounts fleet-wide that the agency's previous scanners had never reported.
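
One way to surface the back-dated theme files described above is to compare each file's modification time with its inode change time. This is an added example, not TopSyde's or Sentinel's code; it assumes a Linux filesystem, and the theme folder, file names and 30-day threshold are constructed for illustration.

```python
import os
import statistics
import tempfile
import time
from pathlib import Path

DAY = 86400

def find_timestomped(root, min_gap_days=30):
    """Flag PHP files whose mtime is far older than their ctime, unlike siblings.

    mtime can be set to any value from userland; ctime (inode change time) is
    set by the kernel, so "modified years ago, inode changed recently" is a lead.
    A directory-wide gap (a migration that preserved mtimes) is not flagged.
    """
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        gaps = {}
        for name in files:
            if name.endswith(".php"):
                st = os.lstat(os.path.join(dirpath, name))
                gaps[name] = st.st_ctime - st.st_mtime
        if not gaps:
            continue
        typical = statistics.median(gaps.values())
        for name, gap in gaps.items():
            if gap > min_gap_days * DAY and gap - typical > min_gap_days * DAY:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                suspects.append((Path(rel).as_posix(), round(gap / DAY)))
    return sorted(suspects)

def demo(stomp_all=False):
    """Constructed theme folder; back-date one file, or all to mimic a migration."""
    old = time.time() - 3650 * DAY
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content/themes/sample-theme"
        theme.mkdir(parents=True)
        for name in ("functions.php", "header.php", "footer.php", "cache.php"):
            (theme / name).write_text("<?php\n")
        for f in theme.iterdir():
            if stomp_all or f.name == "cache.php":
                os.utime(f, (old, old))
        return [path for path, _days in find_timestomped(tmp)]

if __name__ == "__main__":
    print(demo())
```

Findings are leads rather than verdicts: chmod, chown and rename also update ctime, and a directory holding a single PHP file has no siblings to compare against.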

Step 3 — Remediate reversibly, at scale

Malware was quarantined rather than deleted — moved to a holding area and restorable in one click. Tampered core and plugin files were reinstalled from official sources. Injected spam posts and cloaked page content were stripped (with WordPress revisions kept as a safety net), and every rogue application password and hidden admin was revoked. Nothing Sentinel did was destructive — which is what made it safe to run unattended across hundreds of sites.

Step 4 — Make it daily, fleet-wide, and invisible

Sentinel now scans every client site automatically, every day. High-confidence threats are auto-cleaned the moment they're found; anything ambiguous waits for one-click approval in the portal. The agency sees fleet-wide "likely compromised" status at a glance across all 340+ sites — and the end clients never see TopSyde at all.

The Results

Within the first quarter, the fleet-wide re-infection cycle was over:

  • Spam re-infections dropped from 20+ per quarter across the fleet to zero. The persistence vectors were gone, so the spam had no way back in.
  • 63 backdoors and hidden admin accounts were removed in the first 30 days — every one of them invisible to the prior in-site scanners.
  • All nine Google-flagged sites were fully cleaned and cleared, and organic rankings recovered over the following weeks.
  • Mean time to detect a compromise fell from roughly 11 days to under 24 hours, because every site is now scanned daily instead of whenever someone noticed something wrong.
  • All 340+ client sites are now under continuous, reversible protection — at no added cost over their managed hosting.

Why It Worked

Three things, in combination:

  1. Outside-in beats inside-out. Sentinel scans the real filesystem and database over SSH, so it isn't blind the way an in-site plugin is once a site is compromised — and it does it on every site in the fleet.
  2. It hunts persistence, not just payloads. Hidden admins, application-password REST keys, timestomped backdoors, and spam-injecting must-use plugins are the specific reasons "the spam comes back" — and they're exactly what Sentinel looks for.
  3. It scales without headcount. Daily automated scanning plus reversible auto-remediation means 340+ sites stay protected without the agency hiring a security team to babysit them.

Frequently Asked Questions

How does this work across hundreds of sites without a security team?

Sentinel scans every site automatically, every day, and scores findings by severity. High-confidence threats are auto-cleaned; everything else surfaces in one fleet-wide dashboard for one-click approval. The agency manages exceptions, not the scanning itself — so the workload doesn't grow linearly with the site count.

What made the spam keep coming back before TopSyde?

Persistence vectors that the previous cleanups never found — primarily a spam-injecting must-use plugin and attacker-created application passwords (REST API keys that survive password changes). Each cleanup removed the visible spam but left the mechanism that re-created it, somewhere in the fleet.

Did Sentinel cost extra on top of hosting?

No. TopSyde Sentinel is included free on every plan. The agency pays for managed hosting; the daily AI malware scanning and reversible removal come with it — on all 340+ sites.

Could the automatic cleanup have broken a client site?

Remediation is reversible by design — malware is quarantined rather than deleted, core and plugin files are reinstalled from official sources, and content edits create WordPress revisions. Only high-confidence, unambiguous threats are ever cleaned automatically; everything else waits for one-click approval.

Does the agency's client see that TopSyde is involved?

No. The arrangement is white-label by default. Tamer Designs stays in front of every client relationship; TopSyde and Sentinel run invisibly behind it.

The Stack — Named, Not Hidden

We tell you exactly what runs underneath. No proprietary black box.

  • Kinsta managed WordPress
  • Cloudflare WAF + CDN
  • TopSyde Sentinel (daily AI malware scanning)
  • Daily incremental backups (30-day retention)
  • TopSyde portal & monitoring

Business Outcomes

  • Recovered organic rankings on nine client sites Google had penalized for cloaked gambling content the clients never published.
  • Ended the “we cleaned it and it came back” cycle across the entire 340-site fleet by finding and removing the persistence vectors prior cleanups left behind.
  • Protected the agency's reputation at scale — no more recurring “your site got hacked again” calls from clients.
  • Every one of 340+ client sites now scanned daily with reversible auto-remediation, included at no added cost.
Marcus Webb

DevOps & Security Lead

12+ years DevOps, Linux & cloud infrastructure certified

Marcus leads infrastructure and security at TopSyde, managing the server fleet and AI monitoring systems that keep client sites fast and protected. Former sysadmin turned WordPress hosting specialist.
